qgis / QGIS

QGIS is a free, open source, cross platform (lin/win/mac) geographical information system (GIS)
https://qgis.org
GNU General Public License v2.0

ActiveDirectory Authentication Support #50003

Open vovchykbratyk opened 2 years ago

vovchykbratyk commented 2 years ago

Feature description

Need QGIS to be able to authenticate to resources that support AD authentication (e.g., PostGIS, MSSQL, Oracle, etc).

Additional context

Most large professional enterprises use AD for domain resource access/authentication management. While QGIS does not support AD, it inhibits its potential for adoption in enterprises.

komima commented 2 years ago

For PostGIS at least (I'd assume other drivers could work similarly?), just omitting the username & password from the datasource URI works quite well.

Without explicit connection details given, the PostgreSQL provider (libpq) will fall back to whatever is configured by the standard env vars, and if those are all missing, at least domain-joined Windows machines (that fetch a Kerberos TGT on login) will fetch a Kerberos ticket for the db host and use GSSAPI automatically, without the user ever needing to give any login details. This requires that the db itself is configured to support GSSAPI.

jonnyforestGIS commented 2 years ago

This kind of AD authentication can be done using the LDAPS protocol, set as a backend authentication service in the databases.

Nowadays I have PostgreSQL with an LDAPS configuration that binds with AD users using the LDAPS protocol. So in this scenario, if you add a user in AD, you can map this user in PostgreSQL and log in from QGIS. The only thing you need is synchronization between AD users (via the LDAPS protocol) and PostgreSQL users to keep everything updated (users and rules).

Active Directory is a proprietary service from Microsoft and uses LDAP or LDAPS as its core protocol to communicate. After a quick search, I found this explaining the difference between AD and LDAP (https://www.n-able.com/blog/difference-between-ldap-ad).

Some extra LDAP configuration info:

Database configuration:
https://www.postgresql.org/docs/current/auth-ldap.html
https://docs.oracle.com/cd/B14099_19/idmanage.1012/b14082/intro.htm

Some tools or hacks for LDAP sync configurations with AD:
https://ldap2pg.readthedocs.io/en/latest/
https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD
https://github.com/larskanis/pg-ldap-sync
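Added example, not part of any comment above and not QGIS or PostgreSQL project code: a small audit of `pg_hba.conf` rules for the two server-side setups discussed in this thread (`gss` for Kerberos/GSSAPI, `ldap` for binds against AD), flagging `ldap` rules that leave the password unencrypted on either hop. The sample file, host names, realm and DNs are constructed, and the parser assumes CIDR-style ADDRESS columns.

```python
import shlex

# Constructed sample pg_hba.conf; hosts, realm and DNs are placeholders.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE USER     ADDRESS        METHOD
hostssl gis      all      10.0.0.0/8     gss include_realm=0 krb_realm=EXAMPLE.COM
host    gis      all      10.0.0.0/8     ldap ldapserver=dc1.example.com ldapsuffix="@example.com"
hostssl gis      all      10.0.0.0/8     ldap ldapserver=dc1.example.com ldapscheme=ldaps ldapbasedn="dc=example,dc=com" ldapsearchattribute=sAMAccountName
hostssl gis      all      192.168.0.0/16 ldap ldapurl="ldaps://dc1.example.com/dc=example,dc=com?sAMAccountName?sub"
local   all      postgres                peer
"""

def audit_pg_hba(text):
    """Return (line_no, method, [findings]) for every gss or ldap rule."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # drops '#' comments, unquotes values
        if not fields:
            continue
        conn_type = fields[0]
        idx = 3 if conn_type == "local" else 4     # 'local' rules have no ADDRESS column
        if len(fields) <= idx or fields[idx] not in ("gss", "ldap"):
            continue
        method = fields[idx]
        opts = dict(f.partition("=")[::2] for f in fields[idx + 1:])
        findings = []
        if method == "ldap":
            # With the ldap method the client sends its password to PostgreSQL
            # as-is, so the rule should only match TLS connections.
            if conn_type in ("host", "hostnossl"):
                findings.append("rule matches non-TLS clients; use hostssl")
            # ldapscheme/ldaptls/ldaps:// only protect the server-to-AD hop.
            secured = (opts.get("ldapscheme") == "ldaps"
                       or opts.get("ldaptls") == "1"
                       or opts.get("ldapurl", "").startswith("ldaps://"))
            if not secured:
                findings.append("bind to AD is plain LDAP; set ldapscheme=ldaps or ldaptls=1")
        results.append((no, method, findings))
    return results

if __name__ == "__main__":
    for no, method, findings in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {no} [{method}]: " + ("; ".join(findings) or "ok"))
```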